Noninterference for Operating System Kernels

Murray, Toby; Matichuk, Daniel; Brassil, Matthew; Gammie, Peter; Klein, Gerwin

doi:10.1007/978-3-642-35308-6_12

Cited by 56 publications

(44 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Some target information ow properties [7,12,15,18], based on variants of noninterference [11]. Other work establishes a re nement relation between kernel code, in some representation, and an abstract speci cation.…”

Section: Related Workmentioning

confidence: 99%

“…As is the case with most re nement/simulation-based approaches, this work does not address information ow. In recent work on seL4 veri cation, Murray et al [14,15] present an unwinding-style characterization of intransitive noninterference. They introduce a proof calculus on nondeterministic state monads that is similar to that of this work.…”

Section: Related Workmentioning

confidence: 99%

“…For security, the kernel and the processor must both be correct and agree on their mode of interaction. Most formal kernel analyses in the literature [7,12,13,15,18] address the kernel software itself, in source or binary form, and leave the properties of the instruction set architecture (ISA) to be handled by at. Our contribution is to suggest a possible approach, including tool support, for performing the ISA speci c security analysis, speci cally for user mode execution.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Machine Assisted Proof of ARMv7 Instruction Level Isolation Properties

Khakpour

Schwarz

Dam

2013

Certified Programs and Proofs

View full text Add to dashboard Cite

Abstract. In this paper, we formally verify security properties of the ARMv7 Instruction Set Architecture (ISA) for user mode executions. To obtain guarantees that arbitrary (and unknown) user processes are able to run isolated from privileged software and other user processes, instruction level noninterference and integrity properties are provided, along with proofs that transitions to privileged modes can only occur in a controlled manner. This work establishes a main requirement for operating system and hypervisor veri cation, as demonstrated for the PROSPER separation kernel. The proof is performed in the HOL4 theorem prover, taking the Cambridge model of ARM as basis. To this end, a proof tool has been developed, which assists the veri cation of relational state predicates semi-automatically.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Machine Assisted Proof of ARMv7 Instruction Level Isolation Properties

Khakpour

Schwarz

Dam

2013

Certified Programs and Proofs

View full text Add to dashboard Cite

show abstract

“…In the ongoing proof of confidentiality for the seL4 microkernel [6], a proof calculus was used to formalize an upper bound on the information that a function can read. This involves reasoning about multiple executions of a function, which cannot be easily expressed in Hoare logic.…”

Section: Case Study: Sel4mentioning

confidence: 99%

“…Function annotations can still be used when proving such a property by explicitly turning annotations into assertions, effectively converting back into a standard function while retaining some information from the annotations. The standard confidentiality calculus [6] can then be applied and make use of the assertions.…”

Section: Case Study: Sel4mentioning

confidence: 99%

Automatic Function Annotations for Hoare Logic

Matichuk¹

2012

Electron. Proc. Theor. Comput. Sci.

Self Cite

View full text Add to dashboard Cite

In systems verification we are often concerned with multiple, inter-dependent properties that a program must satisfy. To prove that a program satisfies a given property, the correctness of intermediate states of the program must be characterized. However, this intermediate reasoning is not always phrased such that it can be easily re-used in the proofs of subsequent properties. We introduce a function annotation logic that extends Hoare logic in two important ways: (1) when proving that a function satisfies a Hoare triple, intermediate reasoning is automatically stored as function annotations, and (2) these function annotations can be exploited in future Hoare logic proofs. This reduces duplication of reasoning between the proofs of different properties, whilst serving as a drop-in replacement for traditional Hoare logic to avoid the costly process of proof refactoring. We explain how this was implemented in Isabelle/HOL and applied to an experimental branch of the seL4 microkernel to significantly reduce the size and complexity of existing proofs.

show abstract

Studying shadow page cache to improve isolated drivers' performance

Zheng

Zhu

Dong

et al. 2017

Concurrency and Computation

View full text Add to dashboard Cite

Summary Using virtualization technology, users can reuse various existing operating systems and drivers to customize their application environments. However, faults that exist in the reused drivers threaten the users' customized environments. Chariot has been proposed to solve this problem. It isolates a driver by monitoring its real‐time performance and examining the correctness of its write operations. To capture the write operations, we found that it needs to keep the write permissions of shadow pages as read‐only, which may cause many page faults in the virtual machine monitor and has adversely affect the driver's performance. To address this, we propose a new algorithm that uses the shadow page cache to remit the page faults, based on the principle of delaying the closing of the write permissions of frequently accessed shadow pages. Experimental results show that using these shadow page caches, we can greatly the performance of isolated drivers without significantly impacting Chariot's isolation efficiency.

show abstract

Noninterference for Operating System Kernels

Cited by 56 publications

References 19 publications

Machine Assisted Proof of ARMv7 Instruction Level Isolation Properties

Machine Assisted Proof of ARMv7 Instruction Level Isolation Properties

Automatic Function Annotations for Hoare Logic

Studying shadow page cache to improve isolated drivers' performance

Contact Info

Product

Resources

About